From 264e7813d9ad36de90946ef531664d2cc6e8be3d Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Wed, 12 Jun 2013 14:13:17 -0400
Subject: [PATCH] Prepare 0.8.6-3wheezy2 wheezy-security update
---
 config/filter.d/apache-auth.conf | 10 +++++++---
 config/filter.d/apache-common.conf | 17 +++++++++++++++++
 config/filter.d/apache-nohome.conf | 8 +++++++-
 config/filter.d/apache-noscript.conf | 10 ++++++++--
 config/filter.d/apache-overflows.conf | 8 +++++++-
 debian/changelog | 8 ++++++++
 6 files changed, 54 insertions(+), 7 deletions(-)
 create mode 100644 config/filter.d/apache-common.conf
diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf
index 962fb2e3..ee5eeca3 100644
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@@ -5,6 +5,12 @@
 # $Revision$
 #
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 # Option: failregex
@@ -14,9 +20,7 @@
 # (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
-failregex = [[]client []] user .* authentication failure
- [[]client []] user .* not found
- [[]client []] user .* password mismatch
+failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
diff --git a/config/filter.d/apache-common.conf b/config/filter.d/apache-common.conf
new file mode 100644
index 00000000..c3829e2f
--- /dev/null
+++ b/config/filter.d/apache-common.conf
@@ -0,0 +1,17 @@
+# Generic configuration items (to be used as interpolations) in other
+# apache filters
+#
+# Author: Yaroslav Halchenko
+#
+#
+
+[INCLUDES]
+
+# Load customizations if any available
+after = apache-common.local
+
+
+[DEFAULT]
+
+# Common prefix for [error] apache messages which also would include
+_apache_error_client = \[[^]]+\] \[error\] \[client \]
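Review bot: The new [INCLUDES] comment in apache-auth.conf tells the reader that customizations are read from `common.local`, but the file it pulls in (apache-common.conf, added in this same patch) loads `apache-common.local`, so an admin following the comment will create a file nothing reads. The same comment is copied verbatim into apache-nohome.conf, apache-noscript.conf and apache-overflows.conf below. Suggested wording for all four: `# Read common prefixes. If any customizations are available, they are read from` / `# apache-common.local`.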
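Review bot: As rendered here, `_apache_error_client` in apache-common.conf ends in `\[client \]` with nothing between `client ` and `\]`, and the comment above it stops mid-sentence at "which also would include"; the removed lines in the other files show the same gap (`[[]client []]`), so most likely the viewer stripped an angle-bracket `<HOST>` token rather than the file lacking it. It is still worth confirming in the shipped file, because without the host tag the pattern has no capture group and the jails would match lines but never have an address to act on. Independently of that, the comment would read better finished: `# Common prefix for [error] apache messages; it also carries the client host tag`.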
diff --git a/config/filter.d/apache-nohome.conf b/config/filter.d/apache-nohome.conf
index b6a00005..32ceebdd 100644
--- a/config/filter.d/apache-nohome.conf
+++ b/config/filter.d/apache-nohome.conf
@@ -5,6 +5,12 @@
 # $Revision$
 #
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 # Option: failregex
@@ -14,7 +20,7 @@
 # per-domain log files.
 # Values: TEXT
 #
-failregex = [[]client []] File does not exist: .*/~.*
+failregex = ^%(_apache_error_client)s File does not exist: .*/~.*
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
diff --git a/config/filter.d/apache-noscript.conf b/config/filter.d/apache-noscript.conf
index 4746fbfb..20127e14 100644
--- a/config/filter.d/apache-noscript.conf
+++ b/config/filter.d/apache-noscript.conf
@@ -5,6 +5,12 @@
 # $Revision$
 #
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 # Option: failregex
@@ -14,8 +20,8 @@
 # (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
-failregex = [[]client []] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
- [[]client []] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$
+failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
+ ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
diff --git a/config/filter.d/apache-overflows.conf b/config/filter.d/apache-overflows.conf
index 4567f7da..b33d81b9 100644
--- a/config/filter.d/apache-overflows.conf
+++ b/config/filter.d/apache-overflows.conf
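Review bot: The trailing `.*` in the new apache-nohome.conf pattern `File does not exist: .*/~.*` is redundant — with no end anchor the pattern already matches wherever `/~` appears, so `File does not exist: .*/~` behaves identically and reads more honestly. The part of the change that matters for the advisory is the `^%(_apache_error_client)s` prefix, which now pins the host capture to Apache's own `[client …]` field at the start of the line; the path after "File does not exist:" derives from the requested URL, so leaving that tail unanchored is harmless here.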
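Review bot: In apache-noscript.conf the first pattern is now end-anchored with `\s*$` immediately after the extension group, which narrows it beyond the prefix anchoring this patch is about: a logged path whose listed extension is not the final token (a constructed example: `/foo.php.bak`) matched the old unanchored pattern but no longer matches, while the second pattern in the same hunk still allows `\S*` after the extension. If the narrowing is intended, a line in the Notes comment above should say so; if it is not, make the two consistent with `/\S*(\.php|\.asp|\.exe|\.pl)\S*\s*$`.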
@@ -5,13 +5,19 @@
 # $Revision$
 #
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 # Option: failregex
 # Notes.: Regexp to catch Apache overflow attempts.
 # Values: TEXT
 #
-failregex = [[]client []] (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
+failregex = ^%(_apache_error_client)s (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
diff --git a/debian/changelog b/debian/changelog
index efe1bf33..259c2e94 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+fail2ban (0.8.6-3wheezy2) wheezy-security; urgency=high
+
+ * Anchor apache- filters failregexes to avoid possible DoS on servers
+ which enabled corresponding jails. Fix cherry-picked from upstream
+ 0.8.9-29-g6ccd578 . See http://seclists.org/fulldisclosure/2013/Jun/66
+
+ -- Yaroslav Halchenko Wed, 12 Jun 2013 14:11:15 -0400
+
 fail2ban (0.8.6-3wheezy1) unstable; urgency=high
 * CVE-2012-5642: Escape the content of since its value could
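Review bot: apache-overflows.conf is the only one of the four filters whose new failregex gets no `\s*$` end anchor, and nothing in the hunk says why. As far as I recall, Apache writes the offending request text after these messages (`Invalid method in request …`, `Invalid URI in request …`, `erroneous characters after protocol string: …`), so an end anchor would stop them matching — but a reader comparing this file with apache-auth.conf will read the omission as an oversight. Suggest recording that in the existing Notes block: `# Notes.: Regexp to catch Apache overflow attempts. Not end-anchored: Apache appends the offending request text after these messages.`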